On March 20, 2026, Oklahoma Governor Stitt signed the first new comprehensive state privacy law of 2026. The “Act relating to data privacy” takes effect on January 1, 2027. In this post, we compare the new Oklahoma privacy law to the other 20 state consumer privacy laws already in force.

HOW THE OKLAHOMA PRIVACY LAW COMPARES

The Oklahoma privacy law includes similar obligations to other state consumer privacy laws but generally does not set any new “high water mark.”

1. WHO IS A CONSUMER AND WHAT DATA IS PROTECTED?

Like the other non-California state consumer privacy laws, the Oklahoma privacy law protects a traditional “consumer,” which means an individual who is a resident of this state acting only in an individual or household context. The definition of consumer excludes individuals acting in an employment or commercial (B2B) context (Section 1(8)).

Like its predecessors, the Oklahoma privacy law protects “personal data,” which means information that is linked or reasonably linkable to an identified or identifiable individual.

Personal data also includes “pseudonymous data.” Pseudonymous data is personal data that cannot be attributed to a specific individual without the use of additional information and is “kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.” (Section 1(26).) Pseudonymous data also must be “used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” (Section 1(19).) This definition tracks many of the other state consumer privacy laws (e.g., the consumer privacy law in neighboring Texas) and the GDPR (i.e., Art. 4(5) (definition of pseudonymization)). When the controller can demonstrate that personal data is pseudonymous, the controller is not obligated to comply with consumer rights requests (other than opt-out requests for targeted advertising, sale and profiling, described in 6 below) or with certain controller duties (e.g., data minimization and reasonable security practices). (Section 11(C).)

Like the other state consumer privacy laws, the definition of personal data excludes:

• de-identified data, which means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to the individual (Section 1(13)). To maintain the exclusion, the controller must take reasonable measures to ensure that the data cannot be associated with an individual, protect against re-identification (including by contractual obligations on recipients of the de-identified data) and commit not to re-identify. (Section 11(A).)
• publicly available information, which is information that is “lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience” (Section 1(27)).

Also excluded are data related to job applicants and data relating to employment, as long as these types of data are used solely for recruitment and employment purposes (Section 16(15)-(17)).

NOTE: The California Consumer Privacy Act (CCPA) remains the only one of the state consumer privacy laws that generally applies to personal data collected in an employment and B2B context. The Colorado privacy law applies to biometric data of employees and prospective employees only.

2. WHAT ORGANIZATIONS ARE IN SCOPE?

The Oklahoma privacy law applies to a controller or processor that:

• Conducts business in Oklahoma or produces a product or service targeted to the “residents of this state”; and
• During a calendar year, either:
  • controls or processes personal data of at least one hundred thousand (100,000) consumers; or
  • controls or processes personal data of at least twenty-five thousand (25,000) consumers and derives over fifty percent (50%) of gross revenue from the sale of personal data.

Only the state consumer privacy laws of Nebraska and Texas do not have processing thresholds.

NOTE: Like the state consumer privacy laws of Kentucky and Iowa, the processing thresholds in the Oklahoma privacy law are relatively high compared to Oklahoma’s population (approximately 4.12 million residents) – matching those of more populous states like Virginia (almost 9 million residents), Tennessee (almost 8 million residents) and Indiana (approximately 7.2 million residents).

3. WHAT DATA AND ORGANIZATIONS ARE NOT SUBJECT TO THE OKLAHOMA PRIVACY LAW?

Like the other state consumer privacy laws, the Oklahoma privacy law has several entity-level and data-level exemptions, including:

• Nonprofit organizations that are exempt from taxation under IRC § 501(c)(3), (6), or (12), as well as certain nonprofits organized under Oklahoma law.
• Covered entities and business associates and protected health information as defined in the Health Insurance Portability and Accountability Act (HIPAA) and information de-identified according to HIPAA (per Section 16(7)), as well as all other “information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, exempt information that is maintained by a covered entity or business associate” (per Section 16(8)). (Other health care-related exemptions include identifiable private information for purposes of the Common Rule and patient safety work product for purposes of the Patient Safety and Quality Improvement Act.)
• Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA). (Section 15(B)(2).)
• Data processed as authorized by the Fair Credit Reporting Act (FCRA). (Section 16(11).)
• Data subject to the Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act (among others). (Section 16.)
• Institutions of higher education.
• State and local government agencies, or a service provider processing data on behalf of a state agency or political subdivision of Oklahoma. (Section 15(B)(1).)

NOTE: The Oklahoma privacy law contains many of the exemptions familiar from the other state consumer privacy laws, although the exemptions are not uniform across the 21 laws. The consumer privacy laws of California, Minnesota and Montana do not have entity-level exemptions for financial institutions under the GLBA. The consumer privacy laws of California, Colorado, Delaware, New Jersey, Maryland, Minnesota and Oregon do not have entity-level exemptions for covered entities and business associates under HIPAA. The consumer privacy laws of Colorado, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Jersey and Oregon do not have exemptions for all or most nonprofit organizations.

4. WHAT IS AND IS NOT A “SALE OF PERSONAL DATA”?

The Oklahoma privacy law defines “sale of personal data” as an exchange of personal data by a “controller” to a “third party” for monetary (only) consideration.

NOTE: Oklahoma is one of seven state consumer privacy laws that narrowly define a “sale” as an exchange for monetary (only) consideration (the other six are Indiana, Iowa, Kentucky, Tennessee, Utah, and Virginia).

The Oklahoma privacy law defines a “controller” as a legal or natural person that, alone or jointly, determines the purpose and means of processing personal data (Section 1(9)) and a “third party” as an individual or legal entity that is not a controller, processor or a controller’s or processor’s affiliate. An “affiliate” is an entity that shares common branding with another legal entity, or that controls, is controlled by or is under common control with another legal entity. (Section 1(1).)

NOTE: Similar to the Rhode Island privacy law, the Oklahoma privacy law’s definition of affiliate is broader than that of many of the other state consumer privacy laws because of the “common branding” inclusion.

The Oklahoma privacy law (Section 1(28)) excludes from the definition of sale:

• The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer (some state consumer privacy laws require that the consumer’s request be made “affirmatively”);
• The disclosure or transfer of personal data to an affiliate of the controller (but not to an affiliate of a processor);
• The disclosure of information or personal data that the consumer (i) intentionally made available to the public through a mass media channel and (ii) did not restrict to a specific audience;
• The disclosure of information or personal data that the consumer directs the controller to disclose, or where the consumer intentionally uses the controller to interact with a third party; or
• The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

These exclusions are typical of most of the state consumer privacy laws.

5. WHAT NOTICE REQUIREMENTS APPLY?

The privacy notice requirements are in Section 8(A) of the Oklahoma privacy law and require that the controller post a privacy notice that includes:

• The categories of personal data processed by the controller
• The purpose for processing personal data
• How consumers may exercise their consumer rights, including the process by which a consumer may appeal
• The categories of personal data that the controller shares with third parties, if applicable
• The categories of third parties with whom the controller shares personal data, if applicable.

A controller that sells personal data or processes personal data for targeted advertising must “disclose such […] process and the manner in which a consumer may exercise the right to opt out of such process.” (Section 8(B).) Like the other non-California state consumer privacy laws, the Oklahoma privacy law defines “targeted advertising” as online advertising based on personal data obtained from a consumer’s online activity over time and across nonaffiliated “websites and online applications” to predict a consumer’s preferences or interests. (Section 1(31).)

The privacy notice must “clearly and conspicuously” disclose the controller’s targeted advertising practices and how to opt out.

6. WHAT RIGHTS ARE AVAILABLE TO CONSUMERS UNDER THE OKLAHOMA PRIVACY LAW?

The Oklahoma privacy law offers consumers these privacy rights:

• Right to confirm whether a controller is processing the consumer’s personal data and to access that personal data.
• Right to correct inaccuracies in the consumer’s personal data.
• Right to delete personal data provided by or obtained about the consumer.
  • If the controller did not receive the personal data from the consumer, the controller may comply either by retaining a record of the deletion request and the minimum data necessary to ensure that the consumer’s personal data remains deleted from the business’s records (and not using the retained data for any other purpose), or by opting the consumer out of the processing of that personal data for any purpose other than one exempted by the Oklahoma privacy law. (Section 3(F).)
  • Some of the state consumer privacy laws offer a narrower deletion right (covering only personal data provided by the individual to whom the personal data relates (e.g., Iowa)) or a broader right covering any personal data concerning the individual (e.g., Minnesota).
• Right to opt out of processing personal data for:
  • targeted advertising (see 5. above)
  • sale of personal data (see 4. above)
  • profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
    • The term “profiling” means solely automated personal data processing to evaluate, analyze, or predict personal aspects related to an identified or identifiable consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (Section 1(24)); and “decision that produces legal or similarly significant effect concerning a consumer” means a controller’s decision that results in the provision or denial by the controller of financial and lending services, housing, insurance, or health care services, education enrollment, employment opportunities, criminal justice, or access to basic necessities such as food and water. (Section 1(12).)

The controller must offer a secure and reliable means to exercise privacy rights. A parent or a legal guardian may exercise the consumer rights on behalf of a known child (under 13 years of age). (Section 2(A).)

Like seven other state consumer privacy laws, the Oklahoma privacy law does not require that a controller recognize universal opt-out mechanisms.

7. WHAT ARE THE CONTROLLER’S OBLIGATIONS IN RESPONDING TO A CONSUMER PRIVACY RIGHTS REQUEST?

Timing: The timing requirements for responding to privacy rights requests are similar to most of the other state consumer privacy laws. A controller has up to 45 days after receipt of a consumer’s privacy rights request to respond, subject to a 45-day extension when “reasonably necessary” and after informing the consumer of the delay and the reason for it. In responding to a request, the controller must provide information free of charge up to twice annually per consumer, although the controller may charge a reasonable fee or decline a request if the request is manifestly unfounded, excessive or repetitive. If a controller declines the consumer’s request, the controller must inform the consumer, within 45 days after receipt of the request, of the reasons for declining and of instructions for how to appeal the decision. (Section 3.)

The controller is obligated to respond to a consumer request free of charge up to twice during a 12-month period. The controller can charge for an excessive, manifestly unfounded, or repetitive request but bears the burden of proof as to excessiveness.

Authentication of Consumer Request: A controller is not required to comply with a privacy rights request that the controller cannot authenticate, but it must provide notice to the consumer that additional information is needed to authenticate the request.

Authorized agents: Similar to some of the other state consumer privacy laws, the Oklahoma privacy law is silent on a consumer’s ability to designate an authorized agent to exercise privacy rights on the consumer’s behalf.

Appeals: A controller must allow a consumer to appeal when the controller refuses to act on a consumer’s request and must ensure that the appeal process is “conspicuously available.” Within 60 days, the controller must provide a written explanation of the reason or reasons for the decision. If the appeal is denied, the consumer can submit a complaint to the Attorney General. (Section 4(B).) (Only the state consumer privacy laws of Utah and California do not allow for appeals.)

8. ARE CONTROLLERS REQUIRED TO CONDUCT DATA PROTECTION ASSESSMENTS?

A controller is required to conduct and document a data protection assessment (Section 10) for each of the following processing activities:

• Processing personal data for targeted advertising
• Sale of personal data
• Processing personal data for profiling, if the profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of or unlawful disparate impact on consumers, (ii) financial, physical or reputational injury to consumers, (iii) physical or other intrusion upon solitude, seclusion, or private affairs that would be offensive to a reasonable person or (iv) other substantial injury to consumers
• Processing of sensitive data (see 9. below)
• Any processing activities involving personal data that present a heightened risk of harm to consumers

The assessment requirements are not retroactive – they apply only to processing activities “that commence on or after” January 1, 2027 (the same date on which the Oklahoma privacy law takes effect).

The Attorney General may request a data protection assessment that is relevant to an investigation and evaluate it for compliance with the Oklahoma privacy law. Although the Oklahoma privacy law is light on compliance requirements when compared to other state consumer privacy laws, a data protection assessment that complies with another applicable law is deemed to satisfy the Oklahoma privacy law’s requirements. Any data protection assessment provided to the state regulator remains confidential, and the disclosure does not constitute a waiver of attorney-client privilege or work product protection. (Section 10(C).)

Of the 21 state consumer privacy laws, only the laws of Iowa and Utah do not have some form of assessment requirement. By regulation, Colorado and California mandate very detailed requirements for conducting and documenting assessments.

9. WHAT OTHER OBLIGATIONS APPLY TO CONTROLLERS?

The Oklahoma privacy law includes many of the same controller obligations as the preceding 20 state consumer privacy laws, including:

Role-based processing agreements

A controller must enter into a binding personal data processing agreement with each of its processors that:

• sets out processing instructions, the nature, purpose and duration of processing, the type of personal data subject to processing, and the rights and obligations of each party;
• contractually imposes a duty of confidentiality with respect to the personal data;
• requires the processor to return or delete (at the controller’s discretion) all personal data at the end of provision of the processor’s services unless retention is required by law;
• requires the processor, upon a reasonable request from the controller, to make available to the controller all information necessary to demonstrate compliance with the Oklahoma privacy law; and
• requires the processor to allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.

A processor must ensure that all subcontractors handling the controller’s personal data are bound by a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data. These requirements add nothing not already applicable under other state consumer privacy laws.

(These role-based processing requirements are in Section 9(B) of the Oklahoma privacy law.)

Processing obligations related to sensitive data

The Oklahoma privacy law defines “sensitive data” as a category of personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Sensitive data also includes genetic data or biometric data processed to uniquely identify an individual, personal data collected from a known child (same as COPPA – under age 13), or precise geolocation data (within a 1,750-foot radius).

Like most state consumer privacy laws, a controller may not process sensitive data without obtaining the consumer’s (opt-in) consent or, for a child, parental consent in compliance with COPPA. (Section 3(B)(4).)

Consent

An express consent requirement applies only to sensitive data processing. Similar to the other state consumer privacy laws, a controller may not process personal data (except as otherwise provided by the Oklahoma privacy law) for a purpose that is neither reasonably necessary to nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. The Oklahoma privacy law does not expressly provide for the right to revoke consent.

Other obligations in the Oklahoma privacy law include reasonable data security practices, no discrimination against a consumer for exercising privacy rights, and data minimization.

10. WHAT ARE THE CONSEQUENCES OF NONCOMPLIANCE?

The Attorney General has exclusive enforcement power, i.e., no private right of action is available. The Oklahoma privacy law does allow for a 30-day cure period following notification of a violation from the Attorney General. The Attorney General may enforce the Oklahoma privacy law with fines not exceeding $7,500, plus reasonable attorney fees and other expenses. The Attorney General may also bring an action to restrain or enjoin the person from violating the Oklahoma privacy law, or to recover the civil penalty and seek injunctive relief.

OTHER PRIVACY LAW NEWS WE ARE FOLLOWING

An amendment to Utah’s Consumer Privacy Act (HB 357) was signed into law on March 19, 2026. The bill amends the thresholds of the Consumer Privacy Act so that it applies to motor vehicle manufacturers regardless of the applicability thresholds. The amendment also adds additional requirements for a motor vehicle with a model year 2030 or later. The amendments are effective beginning January 1, 2027.

Maryland’s HB 711 passed the House and is in the Senate. If passed in its current form, HB 711 would amend the Maryland Online Data Privacy Act to prohibit a controller from selling the personal data of a consumer to a purchaser who seeks to use the data for immigration enforcement.

In Connecticut, a proposed amendment to its Data Privacy and Online Monitoring Act (SB 4) seeks to add a data broker registration provision, an algorithmic pricing disclosure provision, and amendments relating to facial recognition technology, publicly available information, employment profiling, and precise geolocation data.

* * * * *

To help you stay up to date, Privacy Powered by SPB offers a subscription for access to comparative reference charts for the state consumer privacy laws.

Privacy World will continue to cover privacy law developments in the US and around the world. Please contact the authors for more information.

The authors are grateful to Mary Aldrich, Paralegal, New York, for her assistance.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.
